SSH

Configure SSH access for secure remote management of your Cisco switch.

Step 1: Set hostname and domain name

SSH requires a hostname and domain name to generate the RSA key pair.

Switch>enable
Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#ip domain-name company.local

Step 2: Create local user account

Set up a local user with privilege level 15 for full administrative access.

SW1(config)#username admin privilege 15 secret Cisco123!
SW1(config)#username netadmin privilege 15 secret SecurePass456

Step 3: Generate RSA encryption keys

Create the RSA key pair that SSH needs. Use a modulus of at least 1024 bits for security.

SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.company.local
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048

Step 4: Configure VTY lines for SSH

Set the virtual terminal lines to accept only SSH connections and use local authentication.

SW1(config)#line vty 0 15
SW1(config-line)#transport input ssh
SW1(config-line)#login local
SW1(config-line)#exec-timeout 10 0
SW1(config-line)#exit

Step 5: Enable SSH version 2 and set timeout

Configure SSH version 2 for better security and set connection parameters.

SW1(config)#ip ssh version 2
SW1(config)#ip ssh time-out 60
SW1(config)#ip ssh authentication-retries 3
SW1(config)#end

Step 6: Configure management IP address

Assign an IP address to a VLAN interface for SSH connectivity.

SW1#configure terminal
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.10 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#ip default-gateway 192.168.1.1

Step 7: Verify SSH configuration

SW1#show ip ssh
SW1#show ssh
SW1#show running-config | section line vty
SW1#show users

Key Points:

  • SSH requires both hostname and domain-name to be configured
  • RSA key size of 1024 bits minimum, 2048 recommended for security
  • transport input ssh blocks Telnet access completely
  • Save configuration with copy running-config startup-config after testing
  • Test SSH access before disconnecting console cable
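The Key Points above can be checked against the output of show running-config rather than by eye. The following Python script is an added example, not part of this page or of Cisco IOS: it parses a constructed running-config excerpt (with one VTY range deliberately left unhardened) and reports every line vty block that still allows Telnet, lacks login local, or has its idle timeout disabled.

```python
import re

# Constructed running-config excerpt (not captured from a real device) in the
# same form as the commands above; "line vty 5 15" is left unhardened on
# purpose so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name company.local
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
line vty 5 15
 transport input telnet ssh
 login local
 exec-timeout 0 0
"""

def vty_blocks(config):
    """Map each 'line vty A B' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^hostname (?!Switch$)\S+$", config, re.M):
        findings.append("hostname missing or left at the factory default")
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("ip domain-name missing (RSA key name cannot be formed)")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSHv1 may be negotiated)")
    for name, lines in vty_blocks(config).items():
        if "transport input ssh" not in lines:
            findings.append(f"{name}: transport input is not SSH-only")
        if "login local" not in lines:
            findings.append(f"{name}: login local not set")
        if "exec-timeout 0 0" in lines:
            findings.append(f"{name}: idle exec-timeout disabled (0 0)")
    return findings
```

Run it against a saved show running-config file by reading the file into a string and passing it to audit_ssh_config; an unset exec-timeout is not flagged because IOS does not display the 10-minute default in the running config.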